Richard Bejtlich's blog on digital security, strategic thought, and military history.

Saturday, March 06, 2010

Making a Point with Pressure Points

Imagine you're a martial arts student. One day you have a guest instructor, accompanied by some of his black belts. They're experts in so-called "pressure point fighting." You've heard a little of this system, whereby practitioners can knock out adversaries with a series of precise strikes that lack the power of a brute-force approach. Until today you've had no direct experience. You may be skeptical, or maybe you believe such techniques are possible.

The seminar starts. You watch the guest instructor explain his techniques. He starts knocking out his black belts. Maybe you believe what you see, or maybe you don't. Then the instructor asks for volunteers, and several of your fellow students agree. The instructor knocks them all out, including a student you really trust to not "take a fall" to make the guest "look good." You ask the student "what happened?" and he replies "that dude knocked me out!"

Next the black belts fan out through the class to help teach pressure point techniques. They ask you if you want to get knocked out with a three-strike technique, or if you just want to feel disoriented with a two-strike technique. You decide you're a believer at this point, but you want to see what it feels like to receive a two-strike technique. Sure enough, two rapid strikes later, you're wondering what happened but are still conscious. That's all you need to believe; you're glad you're not lying on the floor, out cold!

The class ends. Several bystanders were watching through the studio's windows. Some of them are laughing. They think the whole class was fake, a joke, or stupid. Some witnesses are curious. They believe what they saw and want to know more. A few ask questions. Others mumble to themselves incoherently, probably intoxicated or mentally ill.

One of the students decides to talk to a famous yet local news reporter about his experience. This widely-read newspaper reports the story the next day, attracting a lot of attention.

With a wider audience, an extended discussion takes place about this pressure-point fighting activity.

One company conducts a Webcast and a spokesperson says "my mom used to knock me out with a frying pan when I was a kid!" He also says there's no difference between pressure-point fighting and getting punched in the face.

Another company decides to register a domain name called "pressurepointfighting.biz" and starts talking about how it works, applying what they know from Western boxing. This misses the mark but uninformed observers can't really tell the difference.

A third company jumps on the pressure point fighting bandwagon, issuing supposedly original research, inventing its own analysis, and integrating the technique into its marketing material. It turns out someone at the company had a confidential agreement with the original pressure point fighting instructor, but unilaterally decided to take a few pages out of his notebook and run to the market to make a fast buck.

A fourth company knows a lot about pressure point fighting. It writes original reporting based on its experience. Critics claim this company is just offering marketing based on the new craze.

Reaction to the news among those without direct experience is mixed, as might be expected.

Some readers are martial artists themselves. They fear being irrelevant. They are afraid their skills are not sufficient. They decide to ridicule anyone who participated in the seminar, or who has knowledge.

Some readers distrust authority. They think these techniques are just a government conspiracy to justify additional police powers. The only reason anyone is talking about such affairs is their need to get greater budgets for their oppressive police powers, man!

Some readers think the whole affair is "fear, uncertainty, and doubt" (FUD). Who could knock out a person by hitting a few pressure points? It's all a lie, or just the latest craze. It must be fake.

Some readers have been learning and practicing pressure point fighting for the last several years. They know it isn't a joke, and it is real. Also, some readers without experience realize they should learn more about pressure point fighting. That knowledge could save their lives, or the lives of those close to them. These like-minded people communicate privately, since the public arenas are now clogged with too many false discussions.

Aside from the fact that advanced persistent threat is an adversary, and not a fighting technique, this story explains the last 6 weeks of APT activity in the security industry. Not all factors are included, but enough to make my point.

Incidentally, the pressure point class is true, at least as far as the class content is described.

21 comments:

About 1/3 of the way through when I realized what you were referring to, I had to scroll back up to see if you had described the pressure technique as: "an Advanced Pressure Technique" because that would have been awesome. ;-)

Analogies are nice and can influence susceptible readers with hidden persuasion techniques leading them down a path chosen for them by the writer, but I prefer reality: http://securityblog.verizonbusiness.com/2010/03/06/im-outta-here/ Dave Kennedy, in my opinion of course, lays out the true state of this matter which for many will be a hard dose to swallow.

The truth of the matter is it is not terribly difficult to cover the news with short snippets, analogies, and opinions, but it is another to roll up your sleeves and do the work. I don't think Richard will disagree with me here, but I could be wrong... as the days of TaoSecurity providing technical insights with actionable content left the building a few years ago. TaoSecurity has become a media outlet focused on security related hot topics and news, which could be compared to Glenn Beck's coverage of all things related to the Obama administration, but again this is just my opinion. Hmmm, did I just make an analogy?

Don't get me wrong here, I don't have any issues with scrutinizing and criticizing companies, security professionals, and/or vendors via a social outlet like this blog, as that is the beauty behind these social outlets. I just hope readers don't base their ideas or make decisions related to these areas based off of analogies and opinions, but instead choose to do the hard research themselves and make well-educated decisions for themselves.

Again, don't get me wrong, I will continue to follow Richard's blog for the same reasons I follow Bruce Schneier's blog... pure entertainment from an outside the box thinker!

Sir - good analogy. Having received the demo in my own dojo from the black belts who accompany the master, I am a believer. It has been both amusing and disconcerting to watch the events and hubbub of the past weeks.

Incidentally Anonymous, if you want to share any of *your* "technical insights with actionable content," please feel free to wow us.

Until then, I'm pretty confident in my training, books, and other writing.

wow, I think you missed my point as well. I was not questioning your aptitude or technical capabilities, as you have shown in the past and I am sure you will show in the future that you are a very competent and intelligent individual. I apologize if it came across that way. I can admit I have read your books, several of your technical articles, and even reviewed some of your training, so by no means am I trying to discredit you or your capabilities. I agree with 90% of your writings and I am humbled by my comment sparking the beating of your chest in defense, as my accomplishments are nowhere in the same neighborhood of what you have done over the years.

Simply put, my point in regards to APT and the coverage from your site and many other sites leaves me with the same frustrations as Dave Kennedy so nicely expressed in his "I'm Outta Here".

I guess I am just not all that good at providing constructive criticism in a non-offending manner. I would love to see you expand your coverage of APT from what it is and how no one knows how to deal with it to suggested starting points for dealing with it and what can be done with current capabilities. I am sure Marcus would enjoy this as well. In doing this I would move your content from "News Like/Media Like" coverage to the actionable content category. ;)

"Aside from the fact that advanced persistent threat is an adversary, and not a fighting technique..."

Don't you think that is a pretty important distinction? The root of this problem, I believe, is that the techniques aren't different, at least according to Mandiant (and I believe you've mentioned this in the past as well). So shouldn't your analogy be more along the lines of the best martial artist in the world using known martial arts techniques for which we have known defenses, albeit potentially ineffective?

Is this really a call for action on the vendor side to get better with their products, or a call to action for enterprises to get better at security, or a little of both?

I guess what I am asking is - how should enterprises change their behavior/activities in response to the APT? I don't believe I have seen this yet from you. (I have posted my impressions on my blog).

I love this analogy because it describes something we see in so many areas. The bystanders and others who don't have first-hand knowledge about the subject are often those spending the most time arguing about it in public. And then you have "the Ferengi" who try to make a profit out of it.

The first time I heard about APT, I believed it to be a new marketing term from someone trying to sell a "security in a box"-kind of product. But I recognized it when I got the explanation about what it was, only that we had earlier used other words to describe it.

I am not going to dive that deep into this analogy in fear of just splitting hairs, although I think it is important to state a few points. Like many of your readers, I have closely observed these discussions from a distance over the last few weeks.

First, I can understand Dave Kennedy's 'tongue-in-cheek' post. Many of us, including me, have had many lighthearted conversations around this same punch-line. In relation, you've mentioned in this post (as well as in the past) that many readers believe APT to be nothing more than FUD. I can clearly understand and sympathize with this position. Let me explain.

You touched on the fact that several 3rd parties have just jumped on the bandwagon for marketing gain. This is expected and will always happen - nothing new. While I have followed the APT discussions for some time, I believe the reporting that gained traction for many people on APT appeared to contain much of the same marketing-speak and FUD as those 3rd parties. I believe someone else commented on this as well:

Bottom Line: People need the original message (keep in mind your introduction to APT is quite different than most) to be FUD-free. If not, they cannot distinguish the truth from hype and subsequently lump everything into the latter category.

I agree with you that many of the debates regarding APT are clearly counterproductive and ridiculous. Personally, I don't care who invented the term or when the term came into existence. What I do care about is, 'Does utilizing the term APT have any value for the parties targeted?'. This is the group I am concerned about. Let's look at this from a risk view point. Clearly you are familiar with the NIST SP 800-30 guide, given you referenced it in a past post:

For the sake of argument, let's assume what you would call an 'APT-targeted entity' performed a risk assessment sometime in the past. In this process they have defined specific threat sources (i.e. actors, intrusion sets) and one of these sources goes by the name of 'industrial espionage'. This threat source encompasses the same actors as APT. Motivation for this threat source and threat actions are also identical to APT. At most, APT simply appears to be a sub-category of an already defined threat source. I'm sure the argument will be made that APT are persistent, well-organized, and well-funded. But, aren't most organized parties conducting espionage exhibiting these traits today? This is more a matter of evolution.

Let me be clear, I do see the value of the term APT for LE, CIRTs, and various agencies investigating these attacks. As you have mentioned in the past (http://taosecurity.blogspot.com/2010/01/is-apt-after-you.html), these terms 'keep various parties on the same page when speaking with defense partners.'

For the targets though, their primary concern is protecting their assets - not making sure LE is on the same page. IMHO, introducing yet another term is of no value to them. These targets can already reassess their risk (and they should, sooner rather than later) in regards to a threat agent (i.e. espionage) already defined. My concern is that if they are expected to introduce every buzzword associated with a specific threat source into their risk assessments, they will quickly lose sight of the big picture. By continuing down the current path of the last 6 weeks, this may already be an issue.

One major comment. APT is a "proper noun." It's not a vague term. It refers to real actors.

I did not mean to misrepresent the term. That is why I explicitly referred to the APT, as a threat source. Not sure where I went wrong? Regardless of the words I choose, there is clearly not the consensus in the media regarding its definition today.

In regards to my comment, "But, aren't most organized parties conducting espionage exhibiting these traits today? This is more a matter of evolution."

Let me clarify a bit. The coordinated attacks against 30+ firms that have been attributed to APT are clearly impressive. The most impressive trait was the level of target-specific customization and multi-attack vectors that were utilized for entry. While this is the first time this level of sophistication has been observed, others will indeed up the ante in the future. Attacks will always advance as our defenses improve.

Also, what is keeping other organized parties from achieving this level of sophistication? If we consider APT as a business (which is not far from the truth), what are the barriers to entry for these other organized parties? If barriers do not exist, others can easily achieve the same objectives as APT and will in the future, moving us on to the next wave of attacks: evolution.

"The most impressive trait was the level of target-specific customization and multi-attack vectors that were utilized for entry. While this is the first time this level of sophistication has been observed..."

That's not true. That's what the media is printing and what some security companies are writing, but only because they only know part of the story. The worst part of any APT incident is not the entry vector or target customization. The worst part is how deeply entrenched the intruder becomes in the victim.

This is also not the first time these techniques have been used to attack or gain entry to victims. It's common.

Very good analogy. I would have taken it a step further and also said that the 'pressure points' technique has been around for a very long time and is not new, and neither is APT. Other than that, your characterization of the security industry is spot on.

I agree that the term adversary presents the issue in a better understandable light than the advanced persistent "threat of the week" terminology.

I have seen very few discussions regarding what is required to resist such persistent attacks. As an example, would not greater use of high assurance systems at key "puncture points" in a network be one step? What about immutable audit logs to resist anti-forensics tools, if they are involved?

I find it odd that I am constantly asked what I think we should do about these intruders. Do blog readers think I have been advocating certain defensive measures for the last 7+ years in this blog and earlier, elsewhere, ignorant of the capability of intruders to act at this level?

I recall your posts about trustworthy computers, but most of the discussion elsewhere has been focused on the inadequacies of the "same-old, same-old", which you have written as not being enough, with no proposed alternatives.

"That's not true. That's what the media is printing and what some security companies are writing, but only because they only know part of the story. The worst part of any APT incident is not the entry vector or target customization. The worst part is how deeply entrenched the intruder becomes in the victim."

Obviously, as you have stated, many (including me) have focused in on the wrong areas. Unfortunately, this is easy to do when the facts are fragmented and given to you by 1st and 2nd hand parties.

I do not fault those directly involved. I would like to believe they have shared whatever intel they could publicly and that information has not been skewed. I have experienced firsthand how high-profile investigations can take on a life of their own, once they hit the media - often taken way off track and injected with false information. I'm hopeful additional information from those directly involved will come to light in the long run.